← Back to Fylo

Privacy Policy

Last updated: April 2026 · Compliant with the Digital Personal Data Protection Act, 2023 (DPDP)

Summary in plain language

Fylo is a free WhatsApp compliance co-pilot for Indian MSMEs. We collect only what is needed to read your GST notice and answer your compliance question. We never sell your data. You can ask us to delete everything at any time. Below are the details required by DPDP 2023 and the IT Act 2000.

1. What We Collect

When you use Fylo on WhatsApp, Telegram, or our web channel, we collect:

• Your phone number, used to identify your conversation
• Notice images, PDFs, voice notes, or text you send us
• Your typed messages and your language preference
• Your GSTIN, business name, and state when you provide them (optional)
• Operational metadata: timestamps, message IDs, basic device info from the messaging platform

2. How We Use Your Data

• To read and explain GST / ROC / labour-law notices in your language
• To answer your compliance questions and route urgent cases to a CA when you opt in
• To send filing reminders (only if you explicitly opt in)
• To improve Fylo using anonymised, aggregated patterns - never individual queries

3. Where Your Data Is Stored

Fylo's primary infrastructure is currently hosted in Singapore on Render. We chose this region as the closest available to India today; we will migrate to a Mumbai region the moment our infrastructure provider supports it.

Cross-border transfer disclosure: data leaves Indian territory only to reach our Singapore application server and our AI processors. Per DPDP 2023 Section 16, this notice is your disclosure of that transfer; by continuing to use Fylo you consent to it. Singapore has comparable data-protection standards, and we encrypt all data in transit and at rest.

4. Data Retention

• Conversation messages: retained 18 months after the last interaction, then anonymised
• Notice images, PDFs, and voice notes: deleted within 7 days of processing
• Voice transcripts: retained as text, treated like other conversation messages
• Account-level data (phone, GSTIN): retained while your account is active

5. Data Sharing

We do not sell your data. We do not share your personal information with third parties for advertising. We share data only with:

• Service providers strictly necessary to operate Fylo (see Section 8 below)
• A CA you explicitly choose through our marketplace, sharing only what is needed for that engagement
• Indian authorities only when legally compelled (lawful order, court direction)

6. Your Rights Under DPDP 2023

As a Data Principal you have the right to:

• Access your data - send "show my data" on WhatsApp
• Correct your data - send "correct my [GSTIN/state/business]" or contact our Grievance Officer
• Erase your data - send "delete my data" on WhatsApp; deletion completes within 7 days
• Withdraw consent - send "stop" on WhatsApp; processing stops immediately and erasure follows
• Nominate someone to exercise these rights on your behalf in case of incapacity
• Lodge a complaint with our Grievance Officer (below) or the Data Protection Board of India

7. Data Deletion

Send "delete my data" to Fylo on WhatsApp. Your account, messages, images, transcripts, and any cached AI outputs about you are removed from our systems within 7 days. Some operational logs (anonymised request IDs, error rates) may persist for up to 30 days for security purposes.

8. Third-Party Processors

Fylo uses a minimal set of regulated processors to operate:

• Meta WhatsApp Business Platform - delivers messages between you and Fylo
• Anthropic (Claude) - reads your notice images and answers compliance questions; does not retain your data for training
• OpenAI (Whisper) - transcribes voice notes; data is not retained for training under our API agreement
• Render - hosts our application and database in Singapore
• Razorpay - processes payments only when you choose a paid CA engagement (most users never reach this)

9. Security

Data is encrypted in transit (TLS 1.2+) and at rest. Access is restricted to authorised personnel under a documented access-control policy. We follow industry-standard security practices including HMAC verification of inbound webhooks, timing-safe comparison for admin tokens, and rate limiting. Security incidents will be reported to affected users and CERT-In as required by law.

10. Children

Fylo is for adult business owners. We do not knowingly collect data from anyone under 18. If you believe we hold data on a minor, contact our Grievance Officer for immediate erasure.

11. Changes to This Policy

We will notify you of significant changes through WhatsApp before they take effect. The "Last updated" date at the top will always reflect the most recent revision.

12. Grievance Officer

Per IT Act 2000 Intermediary Guidelines and DPDP 2023, our Grievance Officer is reachable at grievance@getfylo.in. Complaints are acknowledged within 24 hours and resolved within 15 days.

13. Data Protection Officer

Our Data Protection Officer is reachable at dpo@getfylo.in for any DPDP-related questions, data-access requests, or correction requests.

14. Contact

For any other question about your data or this privacy policy, message us on WhatsApp or email hello@getfylo.in.